formbook | 5c7f3940dc39fd1f58d2d5a3d8666d6530ceb4ae9271dd3261d4f2523f517fb8

General

Target

tochi8890.exe
Size

380KB
MD5

e6a3f8446e8c63e54c07d19e998beadc
SHA1

6ca4d481b05669ea71d3bc4bad3ba4cb8b08a83a
SHA256

5c7f3940dc39fd1f58d2d5a3d8666d6530ceb4ae9271dd3261d4f2523f517fb8
SHA512

2f54a3c6a38fddb04f8bf18fa7e0b6b59ee8c50833da05c6ad400680d4a7c484f52e07dd932f5395dd38fe539f4ae14be5418fc9c24d0261d1a05814a4c2fa60
SSDEEP

6144:XEbDTKQSvqBwF02+YAUKl1NT9nDT43GhfKHW42g7w7tBD/6pV5lPhDoLVX/sQwlq:8cT2/U8rTxDT7fK2Xg7w7bDipVto9/DH

Score

10^/10

formbook lh24 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lh24

Decoy

50spage.com

acesalamo.xyz

magicair.org.uk

jrroyalps.com

hohot.xyz

affichecrea.com

2048xtw.net

atlas-pars.com

cqxjbz.com

180bingxue.com

coupdechacal.com

k00050.com

twin-vitro.net

haverninstitute.com

espada-japonesa.com

launchcu.info

discountauto.club

8o7eventhebrand.com

fishersmarinaandcampground.com

crystalfloodplain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3148-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3808-145-0x0000000000670000-0x000000000069F000-memory.dmp	formbook
behavioral2/memory/3808-149-0x0000000000670000-0x000000000069F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ttyoe.exettyoe.exe

pid process

4784 ttyoe.exe
3148 ttyoe.exe

pid	process
4784	ttyoe.exe
3148	ttyoe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ttyoe.exettyoe.exeipconfig.exe

description	pid	process	target process
PID 4784 set thread context of 3148	4784	ttyoe.exe	ttyoe.exe
PID 3148 set thread context of 2716	3148	ttyoe.exe	Explorer.EXE
PID 3808 set thread context of 2716	3808	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3808 ipconfig.exe

pid	process
3808	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

ttyoe.exeipconfig.exe

pid	process
3148	ttyoe.exe
3148	ttyoe.exe
3148	ttyoe.exe
3148	ttyoe.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe
3808	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2716 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ttyoe.exettyoe.exeipconfig.exe

pid process

4784 ttyoe.exe
3148 ttyoe.exe
3148 ttyoe.exe
3148 ttyoe.exe
3808 ipconfig.exe
3808 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ttyoe.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 3148 ttyoe.exe
Token: SeDebugPrivilege 3808 ipconfig.exe

pid	process
2716	Explorer.EXE

pid	process
4784	ttyoe.exe
3148	ttyoe.exe
3148	ttyoe.exe
3148	ttyoe.exe
3808	ipconfig.exe
3808	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3148	ttyoe.exe
Token: SeDebugPrivilege	3808	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tochi8890.exettyoe.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 448 wrote to memory of 4784	448	tochi8890.exe	ttyoe.exe
PID 448 wrote to memory of 4784	448	tochi8890.exe	ttyoe.exe
PID 448 wrote to memory of 4784	448	tochi8890.exe	ttyoe.exe
PID 4784 wrote to memory of 3148	4784	ttyoe.exe	ttyoe.exe
PID 4784 wrote to memory of 3148	4784	ttyoe.exe	ttyoe.exe
PID 4784 wrote to memory of 3148	4784	ttyoe.exe	ttyoe.exe
PID 4784 wrote to memory of 3148	4784	ttyoe.exe	ttyoe.exe
PID 2716 wrote to memory of 3808	2716	Explorer.EXE	ipconfig.exe
PID 2716 wrote to memory of 3808	2716	Explorer.EXE	ipconfig.exe
PID 2716 wrote to memory of 3808	2716	Explorer.EXE	ipconfig.exe
PID 3808 wrote to memory of 1128	3808	ipconfig.exe	cmd.exe
PID 3808 wrote to memory of 1128	3808	ipconfig.exe	cmd.exe
PID 3808 wrote to memory of 1128	3808	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\tochi8890.exe
"C:\Users\Admin\AppData\Local\Temp\tochi8890.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
"C:\Users\Admin\AppData\Local\Temp\ttyoe.exe" C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
"C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
3⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
Filesize
5KB

MD5
37c74f2e62c878a885e9b1b2731204a1

SHA1
0e6887424f72d065e7a7aed13acd8f9d520ec0de

SHA256
881f7918c6d8a141de26482cc98509bf3be3dbc5af52f345a160f052b633f41f

SHA512
6e79d452528a216667009c86ba994cb3ad6aa4ceef87983a20741c87fefbfed6ed0a9f30af90a46061738d0a6dfffe369e957f3867087bc342cc844ce6c91256

Download Submit
C:\Users\Admin\AppData\Local\Temp\grystrjwiw.upu
Filesize
185KB

MD5
3b23ce4832dd07031686ace33dd01dc8

SHA1
a6c1b097f577c7727bc495c693290b251cb3d95d

SHA256
a2911789f25f27f25dee4e8064921b5cc0daf8a32b31c1b28641773fcbf2ee61

SHA512
56aa25cc26a968df6bc34f1d433ec40508ef1bab51bda84c78b3d5396b90d02f7b3ecc30b29d9d461b3a010a844093c1d9b8a09ff610ea2c39ff2c313ce4b2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
Filesize
355KB

MD5
d3c3a49590aae3fca49a9ba0721d8e9a

SHA1
0067538ee4356645d186202b15b1dd3345a21859

SHA256
9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9

SHA512
2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
Filesize
355KB

MD5
d3c3a49590aae3fca49a9ba0721d8e9a

SHA1
0067538ee4356645d186202b15b1dd3345a21859

SHA256
9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9

SHA512
2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
Filesize
355KB

MD5
d3c3a49590aae3fca49a9ba0721d8e9a

SHA1
0067538ee4356645d186202b15b1dd3345a21859

SHA256
9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9

SHA512
2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a

Download Submit
memory/1128-146-0x0000000000000000-mapping.dmp

Download
memory/2716-142-0x0000000008D30000-0x0000000008E85000-memory.dmp

Filesize
1.3MB

Download
memory/2716-151-0x0000000008E90000-0x0000000008FD6000-memory.dmp

Filesize
1.3MB

Download
memory/2716-150-0x0000000008E90000-0x0000000008FD6000-memory.dmp

Filesize
1.3MB

Download
memory/3148-137-0x0000000000000000-mapping.dmp

Download
memory/3148-141-0x0000000001600000-0x0000000001614000-memory.dmp

Filesize
80KB

Download
memory/3148-140-0x0000000001660000-0x00000000019AA000-memory.dmp

Filesize
3.3MB

Download
memory/3148-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-143-0x0000000000000000-mapping.dmp

Download
memory/3808-145-0x0000000000670000-0x000000000069F000-memory.dmp

Filesize
188KB

Download
memory/3808-144-0x0000000000660000-0x000000000066B000-memory.dmp

Filesize
44KB

Download
memory/3808-147-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/3808-148-0x0000000000E80000-0x0000000000F13000-memory.dmp

Filesize
588KB

Download
memory/3808-149-0x0000000000670000-0x000000000069F000-memory.dmp

Filesize
188KB

Download
memory/4784-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads